################################################################################
# RSYSLOG.CONF - central logging server                                        #
################################################################################
#                                    N O T E                                   #
#------------------------------------------------------------------------------#
# This rsyslog configuration is suitable for a central log host. This is not   #
# intended for a normal server.                                                #
#                                                                              #
# This config was built and tested for rsyslog version rsyslog-2.0.0.          #
################################################################################

#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                                M O D U L E S                                 #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
$ModLoad immark.so # mark messages
$MarkMessagePeriod 1200 # every 20 minutes
$ModLoad imudp.so #udp sockets
$ModLoad imtcp.so #tcp socks
$ModLoad imuxsock # local syslog() listener
$ModLoad imklog # local klog logging


#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                        G L O B A L   S E T T I N G S                         #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
$umask 0000
$CreateDirs on
$DirCreateMode 0755
$FileCreateMode 0644
$FileOwner root
$FileGroup root
$RepeatedMsgReduction on
$EscapeControlCharactersOnReceive off
$UDPServerRun 514
$InputTCPMaxSessions 2000
$InputTCPServerRun 514
$InputTCPServerRun 5000	
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0

#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                              T E M P L A T E S                               #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#

$template CustomFormat,"%TIMESTAMP% %FROMHOST% %HOSTNAME% %syslogtag%%msg%\n"
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
$template MergeFormat,"%timegenerated% %FROMHOST% %syslogtag%%msg%\n"
$template RawMessage,"%msg:2:2048%\n"


#------------------------------------------------------------------------------#
# templates for merged remote logging                                                 #
#------------------------------------------------------------------------------#
$template m_messages, "/var/log/merged/messages.log"
$template m_secure, "/var/log/merged/secure.log"
$template m_mail, "/var/log/merged/mail.log"
$template m_cron, "/var/log/merged/cron.log"
$template m_spooler, "/var/log/merged/spooler.log"
$template m_boot, "/var/log/merged/boot.log"
$template m_kern, "/var/log/merged/kernel.log"
$template m_audit, "/var/log/merged/audit.log"
$template m_http_error, "/var/log/merged/http_error.log"
$template m_http_apps, "/var/log/merged/apps.log"

#------------------------------------------------------------------------------#
# templates for remote logging                                                 #
#------------------------------------------------------------------------------#
$template r_messages, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/messages.log"
$template r_secure, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/secure.log"
$template r_mail, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/mail.log"
$template r_cron, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/cron.log"
$template r_spooler, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/spooler.log"
$template r_boot, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/boot.log"
$template r_kern, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/kernel.log"
$template r_audit, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/audit.log"
$template r_http_error, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/http_error.log"
$template r_http_apps, "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/apps.log"

#------------------------------------------------------------------------------#
# templates for http logging                                                   #
#------------------------------------------------------------------------------#
$template HttpAccessTemplate,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/http/%APP-NAME%"
$template HttpErrorTemplate,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/http/%APP-NAME%"

#------------------------------------------------------------------------------#
# templates for local logging                                                  #
#------------------------------------------------------------------------------#
$template l_messages, "/var/log/messages"
$template l_secure, "/var/log/secure"
$template l_mail, "/var/log/maillog"
$template l_cron, "/var/log/cron"
$template l_spooler, "/var/log/spooler"
$template l_boot, "/var/log/boot.log"
$template l_idgaud, "/var/log/idgaudit.log"
$template l_idgsys, "/var/log/idgsystem.log"

#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                         R E M O T E   L O G G I N G                          #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#

#------------------------------------------------------------------------------#
# remote messages log                                                          #
#------------------------------------------------------------------------------#
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none	?r_messages;TraditionalFormat

#------------------------------------------------------------------------------#
# remote auth/secure log                                                       #
#------------------------------------------------------------------------------#
authpriv.*					-?r_secure;TraditionalFormat

#------------------------------------------------------------------------------#
# remote mail log                                                              #
#------------------------------------------------------------------------------#
mail.*						-?r_mail;TraditionalFormat

#------------------------------------------------------------------------------#
# remote cron log                                                              #
#------------------------------------------------------------------------------#
cron.*						?r_cron;TraditionalFormat

#------------------------------------------------------------------------------#
# remote spool log                                                             #
#------------------------------------------------------------------------------#
uucp,news.crit					?r_spooler;TraditionalFormat

#------------------------------------------------------------------------------#
# remote audit log                                                              #
#------------------------------------------------------------------------------#
local6.*					?r_audit;TraditionalFormat


#------------------------------------------------------------------------------#
# remote http_error log                                                              #
#------------------------------------------------------------------------------#
local5.*					?r_http_error;TraditionalFormat

#------------------------------------------------------------------------------#
# remote http app log                                                              #
#------------------------------------------------------------------------------#
local4.*					?r_http_apps;TraditionalFormat


#------------------------------------------------------------------------------#
# remote boot log                                                              #
#------------------------------------------------------------------------------#
local7.*					?r_boot;TraditionalFormat

#------------------------------------------------------------------------------#
# remote kernel log                                                            #
#------------------------------------------------------------------------------#
kern.*						?r_kern;TraditionalFormat



#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                     MERGED  R E M O T E   L O G G I N G                          #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#

#------------------------------------------------------------------------------#
# remote messages log                                                          #
#------------------------------------------------------------------------------#
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none	?m_messages;MergeFormat

#------------------------------------------------------------------------------#
# remote auth/secure log                                                       #
#------------------------------------------------------------------------------#
authpriv.*					-?m_secure;MergeFormat

#------------------------------------------------------------------------------#
# remote mail log                                                              #
#------------------------------------------------------------------------------#
mail.*						-?m_mail;MergeFormat

#------------------------------------------------------------------------------#
# remote cron log                                                              #
#------------------------------------------------------------------------------#
cron.*						?m_cron;MergeFormat

#------------------------------------------------------------------------------#
# remote spool log                                                             #
#------------------------------------------------------------------------------#
uucp,news.crit					?m_spooler;MergeFormat


#------------------------------------------------------------------------------#
# remote boot log                                                              #
#------------------------------------------------------------------------------#
local7.*					?m_boot;MergeFormat

#------------------------------------------------------------------------------#
# remote kernel log                                                            #
#------------------------------------------------------------------------------#
kern.*						?m_kern;MergeFormat

#------------------------------------------------------------------------------#
# remote http_error
#------------------------------------------------------------------------------#
local5.*					?m_http_error;MergeFormat

#------------------------------------------------------------------------------#
# remote http_apps
#------------------------------------------------------------------------------#
local4.*					?m_http_apps;MergeFormat


#------------------------------------------------------------------------------#
# remote audit log                                                              #
#------------------------------------------------------------------------------#
#this means: if log message does not contain 'type=AVC' then drop it
# this is only for the merged logs from auditd
:msg, !contains, "type=AVC" ~
local6.*					?m_audit;MergeFormat
